Candidate: CVE-2021-27577
PublicDate: 2021-06-29 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577
 https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E
 https://github.com/apache/trafficserver/pull/7945 (8.1.x)
 https://github.com/apache/trafficserver/commit/2b13eb33794574e62249997b4ba654d943a10f2d (master)
 https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277 (8.1.x)
Description:
 Incorrect handling of url fragment vulnerability of Apache Traffic Server
 allows an attacker to poison the cache. This issue affects Apache Traffic
 Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990303
Priority: medium
Discovered-by: Iustin Ladunca
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_trafficserver:
upstream_trafficserver: released
trusty_trafficserver: ignored (out of standard support)
trusty/esm_trafficserver: DNE
xenial_trafficserver: ignored (out of standard support)
bionic_trafficserver: needs-triage
focal_trafficserver: needed
groovy_trafficserver: ignored (reached end-of-life)
hirsute_trafficserver: ignored (reached end-of-life)
impish_trafficserver: needed
jammy_trafficserver: needed
devel_trafficserver: needed